GitLab

1. I removed exports_setup from tbacct, we seem to have fixed all the
   places where we were touching the user home directory during account
   creation.

2. I also removed exports_setup from web login for nonlocal (geni) users,
   since nothing on the Cloudlab path touches the user home directory,
   including starting a new experiment (geni users are not allowed to use
   any other part of the web interface, so Emulab Classic is off limits).

when a user logs in so that their home directory and projects are exported
from ops. Otherwise things break.

Since we really do not want to do this too often, exports_setup is
exporting anyone who is logged in within the last week, and the web
interface is calling out to exports_setup only once a day for each user.

This can be "improved" but I am worried we are fighting a losing battle and
will eventually yank this code anyway.

Add check for pswd_expires=null setting; never expires.

we know (suspect) the user has an account, so redirect to the login
page. There is a new Continue as Guest button on the login page in
case that is what the user really wants to do.

link on the showuser page for local admins (Mike) to get some
old pages.

authenticate Geni users to CloudLab (who do not have Emulab accounts).
CloudLab users must have an account to do anything (unlike APT which allows
guest users). But instead of requiring them to go through the Emulab
account creation (high bar), let then use their Geni credentials to prove
who they are. We then build a local account for that new user, and save off
the speaksfor credential so that we can act on their behalf when talking to
the backend clusters (and their MA to get their ssh keys).

These users do not have a local account password, so they cannot log into
the web interface using the Emulab login page, nor do they have a shell on
ops.

Once authenticated, we put the appropriate cookies into the browser via
javascript, so they can use the Cloud (okay, APT) web interface (they
appear logged in).

I make use of the nonlocal_id field of the users table, which was not being
used for anything else. Officially, these are "nonlocal" users in the code
(IsNonLocal()).

When a nonlocal user instantiates a profile, we use their speaksfor
credential to ask their home MA for their ssh keys, which we then store in
the DB, and then provide to the aggregate via the CreateSliver call.
Note that no provision has been made for users who edit their profile and
add keys; I am not currently expecting these users to stumble into the web
interface (yet).

logged in users too.

start of a page to create new profiles, lots of other changes
and additions.

That option is no longer supported as of PHP 5.4.

This commit is intended to makes the license status of Emulab and
ProtoGENI source files more clear.  It replaces license symbols like
"EMULAB-COPYRIGHT" and "GENIPUBLIC-COPYRIGHT" with {{{ }}}-delimited
blocks that contain actual license statements.

This change was driven by the fact that today, most people acquire and
track Emulab and ProtoGENI sources via git.

Before the Emulab source code was kept in git, the Flux Research Group
at the University of Utah would roll distributions by making tar
files.  As part of that process, the Flux Group would replace the
license symbols in the source files with actual license statements.

When the Flux Group moved to git, people outside of the group started
to see the source files with the "unexpanded" symbols.  This meant
that people acquired source files without actual license statements in
them.  All the relevant files had Utah *copyright* statements in them,
but without the expanded *license* statements, the licensing status of
the source files was unclear.

This commit is intended to clear up that confusion.

Most Utah-copyrighted files in the Emulab source tree are distributed
under the terms of the Affero GNU General Public License, version 3
(AGPLv3).

Most Utah-copyrighted files related to ProtoGENI are distributed under
the terms of the GENI Public License, which is a BSD-like open-source
license.

Some Utah-copyrighted files in the Emulab source tree are distributed
under the terms of the GNU Lesser General Public License, version 2.1
(LGPL).

peert) login.

When running from suexec, no need to give full path to the minary,
or to re-direct stdout and stderr.

exp. visualization code.

  write-vis-auth-boss -> write-vis-auth
  write-vis-auth-ops -> write-vis-auth.proxy

more than one instance from running at once and 2) can run in the
background by mailing testbed-ops on error.

deleted, they still remain in the user table with a status of
"archived", but since all the queries in the system now use uid_idx
instead of uid, it is safe to reuse a uid since they are no longer
ambiguous. 

The reason for not deleting users from the users table is so that the
stats records can refer to the original record (who was that person
named "mike"). This is very handy and worth the additional effort it
has taken.

There is no way to ressurect a user, but it would not be hard to add.

from the old domain no longer exist to avoid strange behavior.

* If a user is web frozen make sure they got logged out next access.

* If a user is web frozen, do not let them change their password, put
  up a message to contact tbops.

* If a user is frozen, say so when the login fails so that they do not
  keep trying!

CHECKLOGIN_MAYBEVALID.  Also fixup index.php3 so it always
redirects to https on the same error.

Added new helper function RedirectHTTPS which will redirect to https
if necessary.

redirect to the login page rather than printing a message with a link
to the page.  Otherwise send a "403 Forbidden" to keep robots from
indexing the page.  Also send appreciate HTTP responses on other
precheck errors to keep a robot from indexing the page.  In order to
do this the PAGEHEADER call needed to be moved to after
CheckLoginOrDie and Required/OptionalPageArguments on many pages.  A
warning will be printed if either CheckLoginOrDie or
Required/OptionalPageArguments detects that PAGEHEADER was already
called.

Also change the redirect in kb-show to be a permanent redirect (301)
rather than a temporary one (302) which is the default unless a status
code is given.

special people).

emulab to the protogeni wiki, but I use it for all of the wikis. The
basic idea is that the emulab backend inserts a hash value into the
cookie table in the trac DB on ops (via ssh). Then Emulab issues a
redirect over to the trac wiki, with the uid/hash values as arguments
to the xlogin URL. This hash is use-once; if it exists in the cookies
table, it is deleted and a new one generated by the underlying auth
module, and a cookie returned to the browser. The user is thus logged
in for all subsequent access.

Why? Cause emulab.net cannot insert auth cookies for protogeni.net, so
must let the auth module inside trac insert the cookie.